I am trying to create a bucket policy that only allows me to get the objects of a bucket if I have a specific IP OR if I have the URL with the presigned parameters.
So far I have been trying this with no success (this means I am still unable to access it with the presigned URL if I am not in that SourceIp):
{
    "Version": "2012-10-17",
    "Id": "MyPolicy",
    "Statement": [
        {
            "Sid": "MyRestriction",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::mybucket",
                "arn:aws:s3:::mybucket/*"
            ],
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "74.X.X.X/32"
                },
                "Bool": {
                    "aws:ViaAWSService": "false"
                }
            }
        }
    ]
}
I have also tried with 2 separate statements for the 2 conditions, with no success either.
The policy should meet the following conditions:
- If I have that IP, then I should be able to access the bucket https://mybucket.s3.us-east-2.amazonaws.com/sample.txt but also with the presigned URL.
- If I don't have that IP, then I should only be able to access it with the presigned URL.
Thanks in advance.
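The script below is an added example, not code from the question or from AWS. It is a small offline model of the parts of IAM policy evaluation that matter here (an explicit Deny wins over any Allow, the condition blocks inside one statement are ANDed, a presigned URL carries the signer's credentials but the HTTP request still arrives from the client's own IP, and aws:ViaAWSService is false because no AWS service is making the call on the caller's behalf). Running the posted policy through it reproduces the symptom: a presigned GET from any other address hits the Deny. The second policy is a variant that tells presigned requests apart with the S3 condition key s3:authType, whose value is REST-QUERY-STRING for query-string (presigned) authentication, and adds an Allow for plain reads from the trusted IP, since a Deny-only policy never grants anything by itself. Assumptions: 198.51.100.7/32 stands in for the redacted 74.X.X.X/32, 203.0.113.9 is a constructed "other" address, only the condition operators used in these two policies are modelled, and Block Public Access settings are ignored.

```python
"""Offline model of how S3 evaluates the two bucket policies (added example)."""
import ipaddress

OFFICE_IP = "198.51.100.7/32"            # stand-in for the redacted 74.X.X.X/32
OBJECT_ARN = "arn:aws:s3:::mybucket/sample.txt"

# The policy from the question, unchanged apart from the placeholder IP.
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "MyRestriction", "Effect": "Deny", "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
        "Condition": {"NotIpAddress": {"aws:SourceIp": OFFICE_IP},
                      "Bool": {"aws:ViaAWSService": "false"}},
    }],
}

# Variant: identify presigned requests by s3:authType == REST-QUERY-STRING.
AUTHTYPE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadFromOffice", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucket/*",
         "Condition": {"IpAddress": {"aws:SourceIp": OFFICE_IP}}},
        {"Sid": "DenyUnlessOfficeOrPresigned", "Effect": "Deny", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucket/*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": OFFICE_IP},
                       "StringNotEquals": {"s3:authType": "REST-QUERY-STRING"}}},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _arn_matches(pattern, arn):
    # Only exact match and the trailing-wildcard form used above are needed.
    return arn == pattern or (pattern.endswith("*") and arn.startswith(pattern[:-1]))


def _condition_matches(operator, key, values, ctx):
    """One operator on one key; several values are ORed. Negated operators
    match when the key is absent from the request context (IAM semantics)."""
    actual, values = ctx.get(key), _as_list(values)
    if operator == "IpAddress":
        return actual is not None and any(
            ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in values)
    if operator == "NotIpAddress":
        return actual is None or not any(
            ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in values)
    if operator == "StringEquals":
        return actual is not None and actual in values
    if operator == "StringNotEquals":
        return actual is None or actual not in values
    if operator == "Bool":
        return actual is not None and actual.lower() in [v.lower() for v in values]
    raise ValueError(f"operator {operator} not modelled")


def _statement_applies(stmt, ctx):
    if "s3:GetObject" not in _as_list(stmt["Action"]):
        return False
    if not any(_arn_matches(p, ctx["resource"]) for p in _as_list(stmt["Resource"])):
        return False
    # Every condition block in a statement must hold (AND).
    return all(_condition_matches(op, key, vals, ctx)
               for op, block in stmt.get("Condition", {}).items()
               for key, vals in block.items())


def evaluate(policy, ctx):
    """Explicit Deny beats everything; otherwise an Allow from the bucket
    policy or from the caller's own identity policy; otherwise implicit Deny."""
    effects = [s["Effect"] for s in policy["Statement"] if _statement_applies(s, ctx)]
    if "Deny" in effects:
        return "Deny"
    return "Allow" if ("Allow" in effects or ctx["identity_allows"]) else "Deny"


def request(ip, presigned):
    """Constructed request context. A presigned URL embeds the signer's IAM
    credentials, so the signer's identity policy applies, but the request still
    comes from the client's IP and no AWS service is in the path."""
    return {"resource": OBJECT_ARN, "aws:SourceIp": ip,
            "aws:ViaAWSService": "false",
            "s3:authType": "REST-QUERY-STRING" if presigned else None,
            "identity_allows": presigned}   # an anonymous browser GET has no identity


def outcomes(policy):
    """Result for each (address, presigned?) combination, keyed for readability."""
    return {(ip, pre): evaluate(policy, request(ip, pre))
            for ip in ("198.51.100.7", "203.0.113.9") for pre in (False, True)}


if __name__ == "__main__":
    for name, pol in (("posted", POSTED_POLICY), ("s3:authType", AUTHTYPE_POLICY)):
        for (ip, pre), res in outcomes(pol).items():
            print(f"{name:12} {ip:14} {'presigned' if pre else 'plain GET':9} -> {res}")
```

The posted policy denies the presigned GET from 203.0.113.9 because both of its conditions are true for that request, and it never allows the plain GET from the trusted IP because it contains no Allow statement. The s3:authType variant allows plain reads only from the trusted IP and presigned reads from anywhere, subject as always to the signer's own permissions and the URL's expiry.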